Data Protection Agreement
IML S.L.U., as identified in the Agreement (“Company”) and the legal entity that entered into an Agreement ("Affiliate Partner") with the Company for the provision of the services described in the principal agreement entered between the parties (as amended from time to time, the "Agreement"), are agreeing to this Data Protection Agreement ("DPA").
This DPA is entered into by Company and Affiliate Partner and supplements the Agreement, and shall be effective, and replace any previously applicable terms relating to their subject matter, during the duration of the Agreement.
If you are accepting this DPA on behalf of Affiliate Partner, you warrant that: (a) you have full legal authority to bind Affiliate Partner to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Affiliate Partner, to this DPA. If you do not have the legal authority to bind Affiliate Partner, please do not accept this DPA.
- INTRODUCTION
- This DPA reflects the Parties’ agreement on the processing of Personal Data in connection with the Data Protection Laws.
- Any ambiguity in this DPA shall be resolved to permit the Parties to comply with all Data Protection Laws.
- In the event and to the extent that the Data Protection Laws impose stricter obligations on the Parties than under this DPA, the Data Protection Laws shall prevail.
- DEFINITIONS AND INTERPRETATION
- In this DPA:
- “Affiliate” means any person or entity directly or indirectly controlling, controlled by, or under common control with a Party. For the purpose of this definition, "control" (including, with correlative meanings, the terms "controlling", "controlled by" and "under common control with") means the power to manage or direct the affairs of the person or entity in question, whether by ownership of voting securities, by contract or otherwise.
- “Approved Jurisdiction” means a jurisdiction approved as having adequate legal protections for data by the European Commission, currently found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
- “Data Protection Laws” means, as applicable, any and/or all applicable domestic and federal or national level laws pertaining to data privacy, data security and/or the protection of Personal Data, including the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to them, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), Data Protection Act 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR") and any amendment or replacements to the foregoing.
- “Data Subject” means a natural person to whom Personal Data relates.
- “Personal Data” means any information which could be used, either directly or by employing additional means, to identify a natural person, and that is shared with or processed by the Affiliate Partner in the context of the performance of the Agreement.
- “Security Incident” shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach will comprise a Security Incident.
- “Standard Contractual Clauses” means the applicable module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021, as available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en.
- “Terms Effective Date” means the effective date of the Agreement.
- The terms “controller”, “processing” and “processor” as used in this DPA have the meanings given to them in Data Protection Laws. Where applicable, controller shall be deemed as a “Business” and processor shall be deemed to be a “Service Provider”, as these terms are defined in the CCPA.
- Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
- APPLICATION OF THIS DPA
- This DPA will only apply to the extent all of the following conditions are met:
- Either Party processes Personal Data that is made available by the other Party in connection with the Agreement;
- The Data Protection Laws apply to the processing of Personal Data.
- This DPA will only apply to the services that the Parties agreed to in the Agreement, which incorporates the DPA by reference.
- ROLES AND RESTRICTIONS ON PROCESSING
- Independent Controllers. Each Party:
- is an independent controller of Personal Data under the Data Protection Laws;
- will, as required under the Data Protection Laws, maintain accurate written records of all the processing activities conducted by that Party in relation to any Personal Data for the purposes of performing its respective obligations under the Agreement;
- will individually determine the purposes and means of its processing of Personal Data;
- will be responsible to ensure that any Personal Data collected and processed by such Party is accurate and remains accurate for the duration of its processing;
- will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data;
- will be responsible to exercise and respond to any requests by data subjects to exercise their rights under Data Protection Law, including (but not limited to) Articles 15-22 of the GDPR (“Data Subject Rights”), and shall provide reasonable cooperation and assistance to the other Party in connection with exercising Data Subject Rights;
- will promptly notify the other Party of any circumstances in which such Party is unable or becomes unable to comply with this DPA or Data Protection Laws, or any actual or potential changes to Data Protection Laws, if this shall affect the other Party’s ability to comply with its obligations under this DPA or Data Protection Laws.
- Restrictions on Processing. Section 4.1 (Independent Controllers) will not affect any restrictions on either Party’s rights to use or otherwise process Personal Data under the Agreement.
- Sharing of Personal Data. In performing its obligations under the Agreement, the Affiliate Partner shall process Personal Data (i) only for the purposes set forth in the Agreement or as otherwise agreed to in writing by the Parties, provided such processing strictly complies with (a) Data Protection Laws, and (b) its obligations under the Agreement (the “Permitted Purposes”), provided that it will not do or permit any act or omission which would cause the Company to incur any liability under Data Protection Laws, and (ii) solely during the term of the Agreement, and shall securely delete or return the copies of the disclosed Personal Data to the Company (by secure file transfer in such format as the Company reasonably requests) and cease the processing of the disclosed Personal Data, and shall certify to the Company to that effect, unless and only insofar as the processing of the Personal Data is required for the fulfillment of the Permitted Purposes or is permissible under Data Protection Laws, and in which case the Affiliate Partner will inform the Company of any such requirement and only further process the Personal Data as necessary to comply with the foregoing.
- Lawful grounds and transparency. Each Party shall maintain a publicly-accessible privacy notice that satisfies transparency disclosure requirements of Data Protection Laws, and warrants and represents that it has provided Data Subjects with appropriate transparency regarding data collection and use and all required notices, in accordance with Data Protection Law, including Articles 13 and 14 of the GDPR. Where either Party collects Personal Data and discloses such Personal Data to the other Party, then the disclosing Party shall ensure it has obtained and recorded any and all consents or permissions necessary under Data Protection Laws, or other applicable lawful grounds, in order for itself and the other Party to Process such Personal Data as set out herein. The foregoing shall not derogate from either Party’s responsibilities under the Data Protection Laws (such as the requirement to provide information to the data subject in connection with the processing of Personal Data). Both Parties will cooperate in good faith in order to identify the information disclosure requirements and each party hereby permits the other Party to identify it in the other Party’s privacy policy, and to provide a link to the other Party’s privacy policy in its privacy policy.
- Where either Party subcontracts the processing activities of Personal Data contemplated herein to a third party, it shall ensure that such third party enters into written contractual obligations which are (in the case of a third party controller) no less onerous than those imposed by this DPA or (in the case of a third party processor) compliant with Article 28 of the GDPR. Each Party shall be liable for the acts or omissions of its subcontractors to the same extent it is liable for its own actions or omissions under this DPA.
- PERSONAL DATA TRANSFERS
- Where the GDPR is applicable, either Party may transfer Personal Data outside the European Economic Area or an Approved Jurisdiction, subject to one of the appropriate safeguards in Article 46 of the GDPR.
- DIRECT MARKETING
- If Partner collects or processes Personal Data for the purpose of carrying out direct marketing activities (including, without limitation, email campaigns or text-message campaigns; collectively “Direct Marketing”), which promote services or products offered by the Partner or other third parties ("Communications"), then Partner shall:
- Comply with any and all Data Protection Laws that apply to such activity, including without limitation the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the e-Privacy Directive;
- Ensure that it has provided the data subjects with any notice necessary as required under Data Protection Laws, prior to delivering any Communications;
- Ensure that it has obtained and recorded the data subjects’ affirmative consent or otherwise has a legitimate interest, as expressly permissible under applicable Data Protection Laws, for the purpose of carrying out Direct Marketing, prior to delivering any Communications;
- Upon Company’s request, provide the Company with any and all records relating to the data subjects’ affirmative consent and notices provided to the data subjects;
- Ensure that any and all Communications include a clear and conspicuous notice of the opportunity to opt-out of receiving future Communications, in an easy manner;
- Comply with any request to opt-out or unsubscribe from receiving Communications, as soon as technically feasible, and in any event no later than seven (7) days as of the receipt of such request;
- Ensure that the recipient of any Communications shall not be required to pay a fee or provide any other information for the purpose of opting-out of receiving Communications;
- Ensure that Communications are not delivered to any data subjects that were indicated, either by the Company or otherwise, to be excluded from the receipt of Communications, as directed by the Company, from time to time.
- Ensure that any and all Communications contain a clear and conspicuous identification that it is an advertisement or solicitation, and that the Communications do not contain any false or misleading information.
- PROTECTION OF PERSONAL DATA.
- The Parties will provide a level of protection for Personal Data that is at least equivalent to that required under Data Protection Laws. Both Parties shall implement appropriate technical and organizational measures to protect the Personal Data.
- In the event that a Party suffers a confirmed Security Incident with respect to Personal Data disclosed from the other Party, such Party shall notify the other Party without undue delay and the Parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident. In the event that a Party suffers a confirmed Security Incident, then such Party shall be responsible to notify the supervisory authority and/or the Data Subjects with respect to such Security Incident, as required under Data Protection Laws.
- MUTUAL ASSISTANCE
- Each Party shall:
- appoint at least one representative as point of contact and responsible manager for all issues arising out of the Data Protection Laws (a "Designated Representative"); the Designated Representative(s) of both Parties will work together in good faith to reach an agreement with regards to any issues arising from time to time in relation to the processing of Personal Data in connection with the Agreement and this DPA;
- The Company’s Designated Representative is: DPO@ImLive.com.
- The Affiliate Partner’s Designated Representative shall be introduced and the Affiliate will provide his details to the Company’s Designated Representative.
- use reasonable measures to consult with the other Party about any notices given to Data Subjects in relation to the processing of Personal Data under the Agreement;
- inform the other Party (without undue delay) in the event that it receives a Data Subject request related solely and exclusively to the other Party's respective processing activities and provide all reasonable assistance to ensure Data Subject requests are completed within the timeframe set out in Data Protection Laws;
- provide the other Party with reasonable assistance (having regard to the data available to it) to enable the other Party to comply with any Data Subject request received by the other Party and to respond to any other queries or complaints from Data Subjects;
- provide the other Party with such assistance as the other Party may reasonably request from time to time to enable the other Party to comply with its obligations under the Data Protection Laws including (without limitation) in respect of security, breach notifications, impact assessments and consultations with supervisory authorities or other regulators;
- provide the other Party with such information as it may reasonably request in order to: (a) monitor the technical and organizational measures being taken to ensure compliance with the Data Protection Laws, or (b) satisfy any legal or regulatory requirements, including information reporting, disclosure and other related obligations to any regulatory authority from time to time;
- in the event of an actual or potential Security Incident which does or is reasonably likely to affect the respective processing activities of both Parties, liaise with the other Party in good faith to consider what action is required in order to resolve the issue in accordance with the Data Protection Laws, and provide such reasonable assistance as is necessary to the other Party to facilitate the handling of such Security Incident in an expeditious and compliant manner.
- OBLIGATIONS UNDER THE CCPA
- To the extent that Affiliate Partner processes Personal Data of Californian residents for a Business Purpose (as it is defined under the CCPA), it shall be regarded as a Service Provider and be subject to the following obligations:
- Affiliate Partner shall not sell such Personal Data (as the term "sell" is defined under the CCPA).
- Affiliate Partner is prohibited from retaining, using, or disclosing such Personal Data for a commercial purpose other than providing the services to Company under the Agreement and from retaining, using, or disclosing such Personal Data outside of the Agreement.
- Affiliate Partner understands its obligations under this clause and will comply with them.
- Notwithstanding the above, Affiliate Partner shall not sell Personal Data it received from or collected on behalf of the Company.
- RESOLUTION OF DISPUTES WITH DATA SUBJECTS OR SUPERVISORY AUTHORITIES
- If either Party is the subject of a claim by a Data Subject or a supervisory authority or receives a notice or complaint from a supervisory authority relating to its respective processing activities (a "DP Claim"), it shall promptly inform the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim.
- Where the DP Claim concerns the respective processing activities of one Party only, then that Party shall assume sole responsibility for disputing or settling the DP Claim.
- Where the DP Claim concerns the respective processing activities of both Parties, then the Parties shall use all reasonable endeavors to cooperate with a view to disputing or settling the DP Claim in a timely manner; provided always that neither Party shall make any admission or offer of settlement or compromise without using all reasonable endeavors to consult with the other Party in advance.
- LIABILITY
- Notwithstanding anything else in the Agreement, the total liability of either Party towards the other party under or in connection with this DPA will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement.
- PRIORITY
- If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, then the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
- If there is any conflict or inconsistency between the terms of this DPA and the Standard Contractual Clauses, the terms of the Standard Contractual Clauses will govern.
- CHANGES TO THIS DPA.
- Company may change this DPA if the change is required to comply with Data Protection Laws, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of the parties as independent controllers of Personal Data under the Data Protection Laws; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process Personal Data; or (iii) have a material adverse impact on Affiliate Partner, as reasonably determined by Company.
- If Company intends to change this DPA under this section, and such change will have a material adverse impact on Affiliate Partner, as reasonably determined by Company, then Company will use commercially reasonable efforts to inform Affiliate Partner at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.
- If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and each Party will promptly begin complying with such Data Protection Laws in respect of its respective processing activities.